Note from the Editor: There were some errors in the last article of the Logic Column. Thanks to Claudia Zepeda for spotting them. They have been corrected in the online version of the article, available from the CORR archive at http://arxiv.org/abs/cs.LO/0502031. All articles published in this column are archived at CORR; the following URL will return them all: http://arxiv.org/find/grp_cs/1/ti:+AND+logic+column.

I am always looking for contributions. If you have any suggestion concerning the content of the 
Logic Column, or even better, if you would like to contribute by writing a survey or tutorial on 
your own work or topic related to your area of interest, feel free to get in touch with me. 



One of the main uses of logic in computer science is in verification, that is, specifying properties 
of systems (I use the term generally), and proving that systems satisfy those properties. A quick 
survey of the verification literature reveals two popular approaches. 

The first approach relies on a logic in which to express properties of systems, and on the 
definition of a satisfaction relation to prescribe when a formula of the logic is true of a system. 
One can then develop techniques such as model checking or theorem proving for establishing that 
a property is true of a system. Let me call this approach logical verification. 

The second approach is based on the following observation: to verify that a system has a particular property, it suffices to show the system equivalent to another system that obviously has the desired property. The technical meat of such an approach consists in defining suitable notions of equivalence, establishing that equivalence preserves the properties of interest, and developing techniques for proving the equivalence of two systems. Such techniques generally involve manipulating equations involving equivalence between systems. Accordingly, let me call this approach equational verification.

The distinction between logical verification and equational verification is not a new one. One finds early discussions of a similar distinction in the distributed computing literature. The transition axiom method of Lamport [1983], essentially a form of equational verification, was admittedly developed to compensate for perceived insufficiencies in logical verification based on temporal logic (when used to specify properties of distributed systems). I find it interesting that the distinction occurs in so many places in the literature, in many different fields. The purpose of this article is to illustrate the distinction and examine the two approaches in a number of simple settings where their relationship is particularly easy to describe, and hopefully to whet your appetite and let you investigate other areas where the distinction between logical verification and equational verification arises.

Processes 

Process calculi emerged from the work of Hoare [1985] and Milner [1980] on models of concurrency, and are meant to model systems made up of processes communicating by exchanging values across channels. They allow for the dynamic creation and removal of processes, which makes it possible to model dynamic systems. A typical process calculus is CCS [Milner 1980; Milner 1989], which is the foundation of a number of more involved calculi.

CCS provides a minimalist syntax for writing processes. Processes perform actions, which can be of three forms: the sending of a message over channel $x$ (written $\bar{x}$), the receiving of a message over channel $x$ (written $x$), and internal actions (written $\tau$), the details of which are unobservable. 1 Send and receive actions are called synchronization actions, since communication occurs when the corresponding processes synchronize. Let $a$ stand for actions, including the internal action $\tau$, while $\lambda$ is reserved for synchronization actions; $\bar{\lambda}$ denotes the complementary synchronization action, so that $\bar{\bar{x}} = x$. The syntax of CCS processes is given by the following grammar:

$$P, Q ::= a_1.P_1 + \cdots + a_n.P_n \;\mid\; P_1 \,|\, P_2 \;\mid\; \nu x.P$$

We write $0$ for the empty sum (when $n = 0$). The process $0$ represents the process that does nothing and simply terminates. A process of the form $\lambda.P$ awaits to synchronize with a process of the form $\bar{\lambda}.Q$, after which the processes continue as processes $P$ and $Q$ respectively. A generalization of such processes is $a_1.P_1 + \cdots + a_n.P_n$, which nondeterministically synchronizes via a single $a_i$ and then continues as $P_i$. To combine processes, the parallel composition $P_1 \,|\, P_2$ is used. The difference between sum and parallel composition is that a sum offers a choice, so only one of the summands can synchronize and proceed, while a parallel composition allows all its component processes to proceed. The process $\nu x.P$ defines a local channel name $x$ to be used within process $P$. This name is guaranteed to be unique to $P$ (possibly through consistent renaming), so no process outside $P$ can synchronize on it.

As an example, consider the process $(x.y.0 + \bar{x}.z.0) \,|\, \bar{x}.0 \,|\, \bar{y}.0$. Intuitively, it consists of three processes running in parallel: the first offers a choice of either receiving over channel $x$ or sending over channel $x$, the second sends over channel $x$, and the third sends over channel $y$. Depending on which choice the first process performs (as we will see, this depends on the actions the other processes can perform), it can continue in one of two ways: if it chooses to receive on channel $x$ (i.e., the $x.y.0$ summand is chosen), it can then receive on channel $y$, while if it chooses to send on $x$ (i.e., the $\bar{x}.z.0$ summand is chosen), it can then receive on channel $z$.

To represent the execution of a process, we define the notion of a transition. Intuitively, the transition relation tells us how to perform one step of execution of the process. Note that since there can be many ways in which a process executes, the transition is fundamentally nondeterministic. The transition of a process $P$ into a process $Q$ by performing an action $a$ is indicated $P \xrightarrow{a} Q$.

1 In the literature, the actions of CCS are often given a much more abstract interpretation, as simply names and 
co-names. The send/receive interpretation is useful for being easy to grasp. 
The action $a$ is the observation of the transition. The transition relation is defined by the following inference rules:

$$\frac{}{a_1.P_1 + \cdots + a_n.P_n \xrightarrow{a_j} P_j} \quad \text{for } j \in 1..n$$

$$\frac{P \xrightarrow{a} P'}{\nu x.P \xrightarrow{a} \nu x.P'} \quad \text{if } a \notin \{x, \bar{x}\}$$

$$\frac{P \xrightarrow{a} P'}{P \,|\, Q \xrightarrow{a} P' \,|\, Q} \qquad \frac{P \xrightarrow{\lambda} P' \qquad Q \xrightarrow{\bar{\lambda}} Q'}{P \,|\, Q \xrightarrow{\tau} P' \,|\, Q'} \qquad \frac{Q \xrightarrow{a} Q'}{P \,|\, Q \xrightarrow{a} P \,|\, Q'}$$

For example, consider the transitions of the example process above, $(x.y.0 + \bar{x}.z.0) \,|\, \bar{x}.0 \,|\, \bar{y}.0$. A possible first transition (the first step of the execution, if you wish) can be derived as follows:

$$\dfrac{\dfrac{x.y.0 + \bar{x}.z.0 \xrightarrow{x} y.0 \qquad \bar{x}.0 \xrightarrow{\bar{x}} 0}{(x.y.0 + \bar{x}.z.0) \,|\, \bar{x}.0 \xrightarrow{\tau} y.0 \,|\, 0}}{(x.y.0 + \bar{x}.z.0) \,|\, \bar{x}.0 \,|\, \bar{y}.0 \xrightarrow{\tau} y.0 \,|\, 0 \,|\, \bar{y}.0}$$

That is, the process reduces to $y.0 \,|\, 0 \,|\, \bar{y}.0$ in one step that does not provide outside information, since it appears as an internal action. (The $0$ can be removed from the resulting process, as it does not contribute further to the execution of the process, although there is an argument that goes here, namely that $P \,|\, 0$ and $P$ are strongly bisimilar, that I am shamelessly sweeping under the rug.) The resulting process $y.0 \,|\, \bar{y}.0$ can then perform a further transition, derived as follows:

$$\dfrac{y.0 \xrightarrow{y} 0 \qquad \bar{y}.0 \xrightarrow{\bar{y}} 0}{y.0 \,|\, \bar{y}.0 \xrightarrow{\tau} 0 \,|\, 0}$$

In summary, a possible sequence of transitions for the original process is the two-step sequence

$$(x.y.0 + \bar{x}.z.0) \,|\, \bar{x}.0 \,|\, \bar{y}.0 \xrightarrow{\tau} y.0 \,|\, \bar{y}.0 \xrightarrow{\tau} 0.$$

A logic for reasoning about CCS processes was introduced by Hennessy and Milner [1985], called simply Hennessy-Milner logic, or HML. The syntax of HML formulas is given by the following grammar:

$$\varphi ::= \mathit{true} \;\mid\; \neg\varphi \;\mid\; \varphi_1 \wedge \varphi_2 \;\mid\; [a]\varphi$$

Formulas describe properties of processes. The formula $\mathit{true}$ represents the formula which is true of every process. The formula $\neg\varphi$ is the negation of $\varphi$, while $\varphi_1 \wedge \varphi_2$ is the conjunction of $\varphi_1$ and $\varphi_2$. The formula $[a]\varphi$, where $a$ is an action (possibly $\tau$), intuitively says that for all ways that a process can perform action $a$, it transitions to a process for which $\varphi$ is true. We define the disjunction $\varphi_1 \vee \varphi_2$ as an abbreviation for $\neg(\neg\varphi_1 \wedge \neg\varphi_2)$ and the implication $\varphi_1 \Rightarrow \varphi_2$ as an abbreviation for $\neg\varphi_1 \vee \varphi_2$.

Following the intuitions outlined above, we can formally define what it means for a formula $\varphi$ to be true for process $P$, written $P \models \varphi$, by induction on the structure of $\varphi$:

$P \models \mathit{true}$ always

$P \models \neg\varphi$ if $P \not\models \varphi$

$P \models \varphi_1 \wedge \varphi_2$ if $P \models \varphi_1$ and $P \models \varphi_2$

$P \models [a]\varphi$ if for all $Q$ such that $P \xrightarrow{a} Q$, $Q \models \varphi$.

Instead of using a logic such as HML, a popular way of reasoning about processes is to consider a definition of equivalence between processes, and reason equationally about the equivalence of a process with an "ideal" process that represents the correct desired behavior. One standard notion of equivalence between processes is to take two processes as equivalent if they are indistinguishable from the point of view of an external observer interacting with the processes. A particular formalization of such an equivalence is strong bisimilarity [Milner 1980]. A strong bisimulation is a relation $\mathcal{R}$ such that whenever $(P, Q) \in \mathcal{R}$, we have, for every action $a$:

• If $P \xrightarrow{a} P'$, then there exists $Q'$ such that $Q \xrightarrow{a} Q'$ and $(P', Q') \in \mathcal{R}$;

• If $Q \xrightarrow{a} Q'$, then there exists $P'$ such that $P \xrightarrow{a} P'$ and $(P', Q') \in \mathcal{R}$.

We say $P$ and $Q$ are strongly bisimilar, written $P \sim Q$, if there exists a strong bisimulation $\mathcal{R}$ such that $(P, Q) \in \mathcal{R}$. In other words, if $P$ and $Q$ are strongly bisimilar, then whatever transition $P$ can take, $Q$ can match it with one of its own that results in processes that are themselves strongly bisimilar, and vice versa. It is easy to check that $\sim$ is an equivalence relation.

The following result of Hennessy and Milner [1985] highlights the deep relationship between logical verification using HML and equational verification using strong bisimilarity. (The result requires the transition system to be image-finite, that is, every process has finitely many $a$-successors for each action $a$; this holds trivially here, since the recursion-free processes of our CCS are finite-state.)

Proposition 1. The following are equivalent:

(a) $P \sim Q$;

(b) For all $\varphi$, $P \models \varphi$ if and only if $Q \models \varphi$.

Based on this observation, we can associate with a process $Q$ (when viewed as a specification) the set of HML formulas that $Q$ satisfies, $[\![Q]\!] = \{\varphi \mid Q \models \varphi\}$. A simple recasting of Proposition 1 gives:

Proposition 2. The following are equivalent:

(a) $P \sim Q$;

(b) For all $\varphi$, $P \models \varphi$ if and only if $\varphi \in [\![Q]\!]$.

Thus, a process $P$ is strongly bisimilar to a "specification process" $Q$ if it satisfies exactly the formulas $[\![Q]\!]$ associated with $Q$. In this sense, we can understand strong bisimilarity as checking that a particular class of formulas holds of a process.

Similar results can be obtained for different notions of equivalence. Strong bisimilarity is a very fine equivalence relation; not many processes end up being equivalent. More worryingly, strong bisimilarity does not handle internal actions very well. Intuitively, process equivalence should really only involve observable actions. Two processes that only perform internal actions should be considered equivalent. For instance, the processes $\tau.\tau.0$ and $\tau.0$ should really be considered equivalent, as they really do nothing after performing some internal (and hence really unobservable) actions. Unfortunately, it is easy to check that these two processes are not strongly bisimilar: the HML formula $\langle\tau\rangle\langle\tau\rangle\mathit{true}$, where $\langle a \rangle\varphi$ abbreviates $\neg[a]\neg\varphi$, holds of the first but not of the second, so by Proposition 1 they cannot be bisimilar. To address this situation, a weaker notion of equivalence, weak bisimilarity, is often used in practice. It is easy to extend HML to deal with this form of equivalence, by introducing suitable modal operators. In a similar way, we can extend HML to express recursive properties; this leads quickly to the propositional modal $\mu$-calculus [Kozen 1983]. For much more along those lines, see the excellent monograph of Stirling [2001]. Furthermore, we can play this game of logical and equational verification for processes in the context of the $\pi$-calculus, which extends CCS with the capability to send values over channels [Milner 1999]. An extension of HML capturing some forms of equivalence for the $\pi$-calculus is given by Milner, Parrow, and Walker [1993].
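The following Python program is added here as an illustration; it is my code, not part of the original article. It puts the machinery of this section into executable form: the transition rules, the satisfaction relation for HML, and strong bisimilarity computed as the largest bisimulation over the finite set of reachable processes. The `"!x"` spelling for $\bar{x}$, the string `"tau"` for $\tau$ and the tuple encoding of formulas are conventions of this example. It runs the article's process $(x.y.0 + \bar{x}.z.0) \,|\, \bar{x}.0 \,|\, \bar{y}.0$ through its two $\tau$ steps, checks that $\tau.\tau.0$ and $\tau.0$ are not strongly bisimilar, and confirms that $\langle\tau\rangle\langle\tau\rangle\mathit{true}$ separates them, as Proposition 1 promises a formula must.

```python
"""Finite CCS: the transition relation, strong bisimilarity and HML model checking.

Actions are strings: "x" receives on channel x, "!x" sends on x, TAU is the
internal action. A process is a Sum (a1.P1 + ... + an.Pn; the empty sum is 0),
a Par (P | Q) or a Nu (nu x.P). HML formulas are tuples:
("true",) | ("not", f) | ("and", f, g) | ("box", action, f).
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple, Union

TAU = "tau"


@dataclass(frozen=True)
class Sum:
    branches: Tuple[Tuple[str, "Proc"], ...]


@dataclass(frozen=True)
class Par:
    left: "Proc"
    right: "Proc"


@dataclass(frozen=True)
class Nu:
    chan: str
    body: "Proc"


Proc = Union[Sum, Par, Nu]
NIL = Sum(())


def prefix(action, proc):
    """The process a.P, written as a one-branch sum."""
    return Sum(((action, proc),))


def co(action):
    """The complementary synchronization action: x <-> !x."""
    return action[1:] if action.startswith("!") else "!" + action


def transitions(p) -> FrozenSet[Tuple[str, Proc]]:
    """All pairs (a, P') with P --a--> P', following the inference rules."""
    if isinstance(p, Sum):                       # pick the summand a_j.P_j
        return frozenset(p.branches)
    if isinstance(p, Nu):                        # nu x hides both x and !x
        return frozenset((a, Nu(p.chan, q)) for a, q in transitions(p.body)
                         if a not in (p.chan, co(p.chan)))
    left, right = transitions(p.left), transitions(p.right)
    moves = {(a, Par(q, p.right)) for a, q in left}            # left component moves
    moves |= {(a, Par(p.left, q)) for a, q in right}           # right component moves
    moves |= {(TAU, Par(q1, q2)) for a, q1 in left for b, q2 in right
              if a != TAU and b == co(a)}                      # synchronization
    return frozenset(moves)


def reachable(p):
    """All processes reachable from p (a finite set, since there is no recursion)."""
    seen, todo = set(), [p]
    while todo:
        q = todo.pop()
        if q not in seen:
            seen.add(q)
            todo.extend(q2 for _, q2 in transitions(q))
    return seen


def bisimilar(p, q) -> bool:
    """P ~ Q: refine the full relation on reachable states until it is a bisimulation."""
    states = reachable(p) | reachable(q)
    rel = {(s, t) for s in states for t in states}

    def matched(s, t):   # every move of s is matched by a move of t that stays in rel
        return all(any(b == a and (s2, t2) in rel for b, t2 in transitions(t))
                   for a, s2 in transitions(s))

    changed = True
    while changed:
        bad = {(s, t) for (s, t) in rel if not (matched(s, t) and matched(t, s))}
        rel -= bad
        changed = bool(bad)
    return (p, q) in rel


def sat(p, phi) -> bool:
    """P |= phi for an HML formula phi, by induction on phi."""
    tag = phi[0]
    if tag == "true":
        return True
    if tag == "not":
        return not sat(p, phi[1])
    if tag == "and":
        return sat(p, phi[1]) and sat(p, phi[2])
    if tag == "box":                             # every a-successor satisfies phi
        return all(sat(q, phi[2]) for a, q in transitions(p) if a == phi[1])
    raise ValueError(phi)


def diamond(action, phi):
    """<a>phi, i.e. not [a] not phi: some a-successor satisfies phi."""
    return ("not", ("box", action, ("not", phi)))


# The article's example (x.y.0 + !x.z.0) | !x.0 | !y.0, bracketed to the left as in the derivation.
EXAMPLE = Par(Par(Sum((("x", prefix("y", NIL)), ("!x", prefix("z", NIL)))),
                  prefix("!x", NIL)),
              prefix("!y", NIL))


def tau_run(p, steps):
    """Follow tau transitions for up to `steps` steps; returns the processes visited."""
    path = [p]
    for _ in range(steps):
        nxt = [q for a, q in transitions(path[-1]) if a == TAU]
        if not nxt:
            break
        path.append(nxt[0])
    return path


if __name__ == "__main__":
    for proc in tau_run(EXAMPLE, 2):
        print(proc)
    print(bisimilar(prefix(TAU, prefix(TAU, NIL)), prefix(TAU, NIL)))
    print(sat(prefix(TAU, prefix(TAU, NIL)), diamond(TAU, diamond(TAU, ("true",)))))
```

The fixpoint in `bisimilar` terminates because this recursion-free fragment is finite-state; with recursion one would first build a finite labelled transition system and use partition refinement on it instead of the naive refinement of all pairs. Since the example process has exactly one $\tau$ successor at each of its two steps, `tau_run` reproduces the derivation in the text deterministically.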

Programs 

A similar, but slightly more complicated picture, arises for reasoning about programs. To keep things as clear as possible, let me consider a very simple class of programs, regular programs. Start with a set $A$ of primitive programs. We use $a$ to range over primitive programs. Primitive programs are abstract operations we want our programs to perform. The syntax of regular programs is given by the following grammar:

$$\alpha, \beta ::= a \;\mid\; \alpha_1;\alpha_2 \;\mid\; \alpha_1 + \alpha_2 \;\mid\; \alpha^*$$

Thus, a primitive program $a \in A$ is a regular program. The program $\alpha_1;\alpha_2$ represents the sequencing of programs $\alpha_1$ and $\alpha_2$, while the program $\alpha_1 + \alpha_2$ represents a nondeterministic choice between programs $\alpha_1$ and $\alpha_2$. The program $\alpha^*$ represents the finite iteration of the program $\alpha$ for a nondeterministic number of iterations (possibly none). Of course, the name "regular programs" comes from the fact that we can view such programs as regular expressions.

It is well known how to give a semantics to regular programs: we map a program to a relation between initial states and final states. An interpretation for the primitive programs is a map $\sigma$ that associates to each primitive program $a$ a binary relation $\sigma(a)$ on the set of states. Intuitively, $(s_1, s_2) \in \sigma(a)$ if executing the primitive program $a$ in state $s_1$ leads to state $s_2$. We give a semantics to arbitrary programs by extending $\sigma$ inductively to all programs:

$$\sigma(\alpha_1;\alpha_2) = \sigma(\alpha_1) \circ \sigma(\alpha_2)$$
$$\sigma(\alpha_1 + \alpha_2) = \sigma(\alpha_1) \cup \sigma(\alpha_2)$$
$$\sigma(\alpha^*) = \bigcup_{n \ge 0} \sigma(\alpha)^n$$

For $R$ and $S$ binary relations, we write $R \circ S$ for the relation $\{(u, v) \mid \exists w.\,(u, w) \in R, (w, v) \in S\}$, and $R^n$ is defined inductively by taking $R^0$ to be the identity relation, and $R^{n+1}$ to be $R^n \circ R$. The map $\sigma$ gives us what is commonly called the input-output semantics of programs.

To reason about properties of those programs, we consider a logic called propositional dynamic logic, or PDL [Harel, Kozen, and Tiuryn 2000]. We start with a set $\Phi_0$ of primitive propositions representing basic facts about states. We use $p$ to range over primitive propositions. The syntax of PDL formulas is given by the following grammar:

$$\varphi ::= p \;\mid\; \neg\varphi \;\mid\; \varphi_1 \wedge \varphi_2 \;\mid\; [\alpha]\varphi$$

Thus, a primitive proposition $p \in \Phi_0$ is a formula. The formulas $\neg\varphi$ and $\varphi_1 \wedge \varphi_2$ have their usual reading, while the formula $[\alpha]\varphi$, where $\alpha$ is a regular program, reads "all halting executions of program $\alpha$ result in a state satisfying $\varphi$". As in the last section, we define $\varphi_1 \vee \varphi_2$ as an abbreviation for $\neg(\neg\varphi_1 \wedge \neg\varphi_2)$ and $\varphi_1 \Rightarrow \varphi_2$ as an abbreviation for $\neg\varphi_1 \vee \varphi_2$. Furthermore, we define $\varphi_1 \Leftrightarrow \varphi_2$ as an abbreviation for $(\varphi_1 \Rightarrow \varphi_2) \wedge (\varphi_2 \Rightarrow \varphi_1)$. We write $\langle\alpha\rangle\varphi$ as an abbreviation for $\neg[\alpha]\neg\varphi$; $\langle\alpha\rangle\varphi$ reads "at least one halting execution of $\alpha$ results in a state satisfying $\varphi$".

The semantics of PDL is given using Kripke structures [Kripke 1963]. Essentially, a Kripke structure is a set of states; think of all the states a program could be in. Following the formalization above, programs are interpreted as a relation between initial states and final states, and at every state we have an interpretation function telling us what primitive propositions are true at that state. General formulas will express properties of moving through that state space. Formally, a Kripke structure $M$ is a tuple $(S, \pi, \sigma)$ where $S$ is a set of states, $\pi$ is an interpretation function assigning a truth value to each primitive proposition $p$ at each state $s$ (i.e., $\pi(s)(p) \in \{\mathit{true}, \mathit{false}\}$) and $\sigma$ is an interpretation for the primitive programs, as defined earlier. We define what it means for a PDL formula $\varphi$ to be true in state $s$ of $M$, written $(M, s) \models \varphi$, by induction on the structure of $\varphi$:

$(M, s) \models p$ if $\pi(s)(p) = \mathit{true}$

$(M, s) \models \neg\varphi$ if $(M, s) \not\models \varphi$

$(M, s) \models \varphi_1 \wedge \varphi_2$ if $(M, s) \models \varphi_1$ and $(M, s) \models \varphi_2$

$(M, s) \models [\alpha]\varphi$ if for all $s'$ such that $(s, s') \in \sigma(\alpha)$, $(M, s') \models \varphi$.

Thus, a formula $[\alpha]\varphi$ is true at a state $s$ if for all states $s'$ that can be reached by executing the program $\alpha$ at state $s$, $\varphi$ holds. We can verify that $\langle\alpha\rangle\varphi$ holds at a state $s$ if and only if there is at least one state that is reachable by program $\alpha$ from state $s$ such that $\varphi$ holds in that state, hence justifying our intuitive reading of $\langle\alpha\rangle\varphi$. If a formula $\varphi$ is true at all the states of a model $M$, we say that $\varphi$ is valid in $M$ and write $M \models \varphi$. If a formula $\varphi$ is valid in all models, we say $\varphi$ is valid, and write $\models \varphi$.

An alternative approach for reasoning about regular programs is to give a direct definition of equivalence between programs, and use equational logic to reason about equivalence of programs. For regular programs, a popular notion of equivalence is obtained by taking two programs to be equivalent if they denote the same input-output relation on states. This kind of equivalence is captured by the theory of Kleene algebras [Conway 1971]. One presentation of this theory is the following axiomatization given by Kozen [1994]:

$$x + (y + z) = (x + y) + z \qquad x + y = y + x \qquad x + 0 = x \qquad x + x = x$$
$$x;(y;z) = (x;y);z \qquad 1;x = x;1 = x \qquad 0;x = x;0 = 0$$
$$x;(y + z) = x;y + x;z \qquad (x + y);z = x;z + y;z$$
$$1 + x;x^* \le x^* \qquad 1 + x^*;x \le x^*$$
$$b + a;x \le x \;\Rightarrow\; a^*;b \le x \qquad b + x;a \le x \;\Rightarrow\; b;a^* \le x$$

where $0$ and $1$ are constants representing respectively the empty program (with no executions) and the identity program (that does not change the state), and $x \le y$ if and only if $x + y = y$. The last two axioms are conditional: they say that $a^*;b$ is the least solution of $b + a;x \le x$, and symmetrically for $b;a^*$.

By general considerations of equational logic, the axioms of Kleene algebra along with the usual axioms for equality, instantiation, as well as rules for introduction and elimination of implications, constitute a complete deductive system for reasoning about implications in the theory of Kleene algebras [Selman 1972]. 2
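As an added example (my code, not from the article or from any of the references it cites), here is the input-output semantics of regular programs and the PDL satisfaction relation, run over a small constructed Kripke structure, together with a check that the Kleene algebra axiom $1 + x;x^* \le x^*$ holds in the relational model, where $\le$ is inclusion. It also interprets tests $\varphi?$, which the end of this section introduces, so that the conditional $(\varphi?;\alpha_1) + ((\neg\varphi)?;\alpha_2)$ can be executed. The four-state space, the primitive programs `a` and `b`, and the propositions `p` and `done` are all made up for the example.

```python
"""Regular programs over a finite state space: input-output relations and PDL model checking.

Programs and formulas are tuples:
  programs: ("prim", name) | ("seq", p, q) | ("choice", p, q) | ("star", p) | ("test", formula)
  formulas: ("prop", name) | ("not", f) | ("and", f, g) | ("box", program, f)
A Kripke structure is (states, pi, sigma): pi[s] is the set of primitive propositions
true at s and sigma[name] is the relation interpreting a primitive program.
"""


def compose(r, s):
    """R o S = {(u, v) | exists w. (u, w) in R and (w, v) in S}."""
    return {(u, v) for (u, w) in r for (w2, v) in s if w == w2}


def star(r, states):
    """Union of R^n over all n >= 0, computed as a fixpoint (the state space is finite)."""
    closure = {(s, s) for s in states}            # R^0 is the identity relation
    while True:
        bigger = closure | compose(closure, r)     # adds R^(n+1)
        if bigger == closure:
            return closure
        closure = bigger


def sem(prog, model):
    """sigma extended to all programs; tests are interpreted relative to the model."""
    states, _, sigma = model
    tag = prog[0]
    if tag == "prim":
        return set(sigma.get(prog[1], ()))
    if tag == "seq":
        return compose(sem(prog[1], model), sem(prog[2], model))
    if tag == "choice":
        return sem(prog[1], model) | sem(prog[2], model)
    if tag == "star":
        return star(sem(prog[1], model), states)
    if tag == "test":    # phi? : stay in place, but only in states where phi holds
        return {(s, s) for s in states if holds(model, s, prog[1])}
    raise ValueError(prog)


def holds(model, s, phi):
    """(M, s) |= phi, by induction on phi."""
    _, pi, _ = model
    tag = phi[0]
    if tag == "prop":
        return phi[1] in pi[s]
    if tag == "not":
        return not holds(model, s, phi[1])
    if tag == "and":
        return holds(model, s, phi[1]) and holds(model, s, phi[2])
    if tag == "box":     # every state reachable by the program satisfies phi
        return all(holds(model, t, phi[2]) for (u, t) in sem(phi[1], model) if u == s)
    raise ValueError(phi)


def diamond(prog, phi):
    """<alpha>phi abbreviates not [alpha] not phi."""
    return ("not", ("box", prog, ("not", phi)))


def valid(model, phi):
    """M |= phi: phi is true at every state of the model."""
    return all(holds(model, s, phi) for s in model[0])


def leq(r, s):
    """x <= y means x + y = y in a Kleene algebra; on relations that is inclusion."""
    return (r | s) == s


def if_then_else(phi, p1, p2):
    """The conditional encoded with tests: (phi?; p1) + ((not phi)?; p2)."""
    return ("choice", ("seq", ("test", phi), p1), ("seq", ("test", ("not", phi)), p2))


def star_axiom_holds(model, prog):
    """Checks the Kleene algebra axiom 1 + x;x* <= x* for x = sigma(prog)."""
    states = model[0]
    x = sem(prog, model)
    identity = {(s, s) for s in states}
    return leq(identity | compose(x, star(x, states)), star(x, states))


# A constructed Kripke structure (not from the article): four states, two
# primitive programs and two primitive propositions.
MODEL = (
    {0, 1, 2, 3},
    {0: set(), 1: {"p"}, 2: set(), 3: {"p", "done"}},
    {"a": {(0, 1), (1, 2)}, "b": {(2, 3), (0, 3)}},
)
A, B = ("prim", "a"), ("prim", "b")
P, DONE = ("prop", "p"), ("prop", "done")

if __name__ == "__main__":
    print(holds(MODEL, 0, ("box", A, P)))                        # every a-step from 0 lands in p
    print(holds(MODEL, 0, diamond(("seq", A, A), ("not", P))))   # some a;a run ends outside p
    print(sorted(sem(if_then_else(P, A, B), MODEL)))             # the conditional's relation
    print(star_axiom_holds(MODEL, ("choice", A, B)))             # 1 + x;x* <= x* for x = a + b
```

Because `sem` recomputes relations on every call, this is a model checker for small structures only; the point is that $\sigma$, $\models$ and $\le$ are exactly the definitions in the text, so an equation of Kleene algebra can be checked against the same relations a PDL formula is evaluated over.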

The fundamental relationship between equational verification using Kleene algebras and logical verification using PDL is given by the following result, which partly follows from the fact that the relational semantics of programs given above forms a Kleene algebra:

Proposition 3. The following are equivalent:

(a) $\alpha = \beta$;

(b) For all $\varphi$, $\models \langle\alpha\rangle\varphi \Leftrightarrow \langle\beta\rangle\varphi$.

One distinct advantage of reasoning equationally is that deciding $\alpha = \beta$ is PSPACE-complete [Stockmeyer and Meyer 1973], while deciding $\models \varphi$ in PDL is EXPTIME-complete [Fischer and Ladner 1979; Pratt 1978].

Is there a way to view a program [3 as a specification against which we can check another 
program a? Recall what we did for processes in the previous section: a process P was equivalent to 
a "specification process" Q if P satisfied exactly the HML formulas associated with the specification 
process Q. Can something similar be done for programs? The answer is yes, and here is a natural 
way to do it. It relies intrinsically on the relationship between regular expressions and finite 
automata, which are almost Kripke structures. By associating with a program a a Kripke structure 
representing that program, we can associate with a "specification program" (3 the set of PDL 
formulas that are valid in the Kripke structure representing (3. One would then hope that a and (3 
are equivalent (according to the theory of Kleene algebras) when the Kripke structure associated 
with a satisfies exactly the formulas associated with (3. And this is indeed the case. Let me make 
all of this precise. 

First, we need to construct a nondeterministic finite automaton $A_\alpha$ corresponding to a program $\alpha$. There is nothing original here. The trick is to do this in a way that clearly reflects the structure of the program. (Otherwise, we end up pushing much of the equivalence between programs into the construction of the nondeterministic automaton, with the result of potentially begging the question.) In other words, we would like syntactically different programs to yield different nondeterministic automata, even when those programs are actually equivalent, such as $a$ and $a + a$. We can do this most easily in two steps, first by inductively constructing a nondeterministic finite automaton with $\varepsilon$-moves (that is, non-action moves that the automaton can perform at any time), second by collapsing the automaton by identifying the states reachable by $\varepsilon$-moves, and removing the $\varepsilon$-moves. Recall that a nondeterministic finite automaton is a tuple $A = (Q, q_0, Q_f, \Delta)$, where $Q$ is the finite set of states, $q_0$ is the initial state, $Q_f$ is a set of final (or accepting) states, and $\Delta$ is a set of transitions, each transition being of the form $(q, a, q')$ and representing a transition from state $q$ to state $q'$ upon action $a \in A \cup \{\varepsilon\}$. Figure 1 summarizes the construction of the nondeterministic finite automaton $A_\alpha$ corresponding to program $\alpha$.

To view a nondeterministic finite automaton as a Kripke structure is straightforward. The 
states of the automaton are the states of the Kripke structure. We consider only the primitive 
propositions <E>o = {init, final}, where init says that a state is initial, while final says that a state 
is final. The interpretation of primitive propositions enforces this reading. The interpretation of 

2 More precisely, it constitutes a complete deductive system for the so-called universal Horn theory of Kleene 
algebras. 
We first construct the nondeterministic finite automaton with $\varepsilon$-moves $A^\varepsilon_\alpha$, by induction on the structure of $\alpha$:

$$A^\varepsilon_a = (\{q_0, q_1\}, q_0, \{q_1\}, \{(q_0, a, q_1)\})$$

$$A^\varepsilon_{\alpha_1;\alpha_2} = (Q' \uplus Q'', q'_0, Q''_f, \Delta' \uplus \Delta'' \uplus (Q'_f \times \{\varepsilon\} \times \{q''_0\}))$$
where $A^\varepsilon_{\alpha_1} = (Q', q'_0, Q'_f, \Delta')$ and $A^\varepsilon_{\alpha_2} = (Q'', q''_0, Q''_f, \Delta'')$

$$A^\varepsilon_{\alpha_1+\alpha_2} = (Q' \uplus Q'' \uplus \{q_0\}, q_0, Q'_f \uplus Q''_f, \Delta' \uplus \Delta'' \uplus (\{q_0\} \times \{\varepsilon\} \times \{q'_0, q''_0\}))$$
where $A^\varepsilon_{\alpha_1} = (Q', q'_0, Q'_f, \Delta')$, $A^\varepsilon_{\alpha_2} = (Q'', q''_0, Q''_f, \Delta'')$ and $q_0$ is a fresh state

$$A^\varepsilon_{\alpha^*} = (Q' \uplus \{q_0\}, q_0, Q'_f \uplus \{q_0\}, \Delta' \uplus (\{q_0\} \times \{\varepsilon\} \times \{q'_0\}) \uplus (Q'_f \times \{\varepsilon\} \times \{q_0\}))$$
where $A^\varepsilon_\alpha = (Q', q'_0, Q'_f, \Delta')$ and $q_0$ is a fresh state.

We derive the nondeterministic finite automaton without $\varepsilon$-moves $A_\alpha$ by identifying states that are connected by $\varepsilon$-moves. Let $A^\varepsilon_\alpha = (Q, q_0, Q_f, \Delta)$. Define the following relations on the states $Q$: let $q \to_\varepsilon q'$ if there exists a sequence of states $q_1 = q, q_2, \ldots, q_{k-1}, q_k = q'$ in $Q$ such that $(q_i, \varepsilon, q_{i+1}) \in \Delta$ for $i \in 1..k-1$; let $\bowtie$ be the equivalence relation generated by $\to_\varepsilon$, that is, the reflexive, symmetric and transitive closure of $\to_\varepsilon$ (closing under transitivity is needed, since $q \to_\varepsilon q'$ and $q'' \to_\varepsilon q'$ should put $q$ and $q''$ in the same class). Let $[q]_\bowtie$ represent the equivalence class of the state $q$, and let $[Q]_\bowtie$ represent the set of equivalence classes $\{[q]_\bowtie \mid q \in Q\}$. The nondeterministic finite automaton $A_\alpha$ is obtained by taking as states the $\bowtie$-equivalence classes of states of $A^\varepsilon_\alpha$:

$$A_\alpha = ([Q]_\bowtie, [q_0]_\bowtie, [Q_f]_\bowtie, \{([q]_\bowtie, a, [q']_\bowtie) \mid (q, a, q') \in \Delta, a \neq \varepsilon\}).$$

A caveat: merging $\varepsilon$-connected states makes every labelled transition of a class available from every state in it, which can enlarge the accepted language. In $(a;b + c;d^*);e$, for instance, the final state of $a;b$ and the final states of $c;d^*$ all have $\varepsilon$-moves to the initial state of $e$, so they fall into one class, and the $d$-loop of $d^*$ becomes available after $a;b$. The standard $\varepsilon$-closure construction (keep the states of $A^\varepsilon_\alpha$, add $(q, a, q'')$ whenever $q \to_\varepsilon q'$ and $(q', a, q'') \in \Delta$ with $a \neq \varepsilon$, and make $q$ final whenever $q \to_\varepsilon q'$ for some $q' \in Q_f$) preserves the language exactly while still keeping syntactically different programs apart, and is the safer choice for $A_\alpha$.

Figure 1: Construction of $A_\alpha$

primitive programs is given by the transitions in the finite automaton. Formally, if $\alpha$ is a program with $A_\alpha = (Q, q_0, Q_f, \Delta)$, the Kripke structure $M_\alpha = (S_\alpha, \pi_\alpha, \sigma_\alpha)$ corresponding to $\alpha$ is given by:

$$S_\alpha = Q$$

$$\pi_\alpha(q)(\mathit{init}) = \begin{cases} \mathit{true} & \text{if } q = q_0 \\ \mathit{false} & \text{if } q \neq q_0 \end{cases}$$

$$\pi_\alpha(q)(\mathit{final}) = \begin{cases} \mathit{true} & \text{if } q \in Q_f \\ \mathit{false} & \text{if } q \notin Q_f \end{cases}$$

$$\sigma_\alpha(a) = \{(q, q') \mid (q, a, q') \in \Delta\}.$$



We can now associate with a program $\beta$ (when viewed as a specification) the set of formulas of PDL that $M_\beta$ satisfies, $[\![\beta]\!] = \{\varphi \mid M_\beta \models \varphi\}$. The following result follows rather easily from Proposition 3:

Proposition 4. The following are equivalent:

(a) $\alpha = \beta$;

(b) For all $\varphi$, $M_\alpha \models \varphi$ if and only if $\varphi \in [\![\beta]\!]$.

Of course, this statement is simply restating the well-known fact that two regular expressions are equal (i.e., denote the same language) when their corresponding finite automata recognize the same language.
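The construction of Figure 1 in code, as an added example that is not part of the article. The $\varepsilon$-automaton is built exactly as in the figure, with a fresh-name counter keeping the unions disjoint. For the second step I use the standard $\varepsilon$-closure rather than the quotient by $\bowtie$: every state of $A^\varepsilon_\alpha$ is kept, $q$ gets every labelled transition of the states it can reach by $\varepsilon$-moves, and $q$ is final if it can reach a final state by $\varepsilon$-moves. This still keeps $a$ and $a + a$ apart as automata, and it preserves the language exactly. The last function decides $\alpha = \beta$ by a lazy subset construction run on both automata at once, which is the decision procedure behind Proposition 4; the program encoding is the tuple convention of this example.

```python
"""Figure 1 in code: regular program -> epsilon-NFA -> NFA -> Kripke structure,
plus a language-equivalence check for Proposition 4.

Programs are tuples: ("prim", name) | ("seq", p, q) | ("choice", p, q) | ("star", p).
An automaton is (states, q0, finals, delta) with delta a set of triples (q, a, q');
the label None plays the role of epsilon.
"""
from itertools import count

_fresh = count()


def fresh():
    """A state name never used before, so the unions in Figure 1 are disjoint."""
    return next(_fresh)


def eps_nfa(prog):
    """A^eps_alpha, by induction on the structure of alpha (Figure 1)."""
    tag = prog[0]
    if tag == "prim":
        q0, q1 = fresh(), fresh()
        return ({q0, q1}, q0, {q1}, {(q0, prog[1], q1)})
    if tag == "seq":       # finals of alpha1 jump by epsilon to the start of alpha2
        Q1, s1, F1, D1 = eps_nfa(prog[1])
        Q2, s2, F2, D2 = eps_nfa(prog[2])
        return (Q1 | Q2, s1, F2, D1 | D2 | {(f, None, s2) for f in F1})
    if tag == "choice":    # a fresh start state branches by epsilon into both summands
        Q1, s1, F1, D1 = eps_nfa(prog[1])
        Q2, s2, F2, D2 = eps_nfa(prog[2])
        q0 = fresh()
        return (Q1 | Q2 | {q0}, q0, F1 | F2, D1 | D2 | {(q0, None, s1), (q0, None, s2)})
    if tag == "star":      # a fresh accepting start state; finals loop back to it
        Q1, s1, F1, D1 = eps_nfa(prog[1])
        q0 = fresh()
        return (Q1 | {q0}, q0, F1 | {q0},
                D1 | {(q0, None, s1)} | {(f, None, q0) for f in F1})
    raise ValueError(prog)


def eps_closure(q, delta):
    """States reachable from q by epsilon-moves only (q itself included)."""
    seen, todo = {q}, [q]
    while todo:
        s = todo.pop()
        for (u, a, v) in delta:
            if u == s and a is None and v not in seen:
                seen.add(v)
                todo.append(v)
    return seen


def nfa(prog):
    """A_alpha without epsilon-moves, by epsilon-closure: states are kept as they are,
    so a and a + a still yield different automata, and the language is unchanged."""
    Q, q0, F, D = eps_nfa(prog)
    closure = {q: eps_closure(q, D) for q in Q}
    delta = {(q, a, v) for q in Q for p in closure[q]
             for (u, a, v) in D if u == p and a is not None}
    finals = {q for q in Q if closure[q] & F}
    return (Q, q0, finals, delta)


def kripke(prog):
    """M_alpha = (S, pi, sigma): pi[q] is the set of primitive propositions true at q."""
    Q, q0, F, D = nfa(prog)
    pi = {q: ({"init"} if q == q0 else set()) | ({"final"} if q in F else set()) for q in Q}
    sigma = {}
    for (q, a, q2) in D:
        sigma.setdefault(a, set()).add((q, q2))
    return (Q, pi, sigma)


def equivalent(p1, p2):
    """alpha = beta iff A_alpha and A_beta accept the same language, decided by
    exploring the subset constructions of both automata in lockstep."""
    (Q1, s1, F1, D1), (Q2, s2, F2, D2) = nfa(p1), nfa(p2)
    alphabet = {a for (_, a, _) in D1 | D2}

    def step(subset, delta, a):
        return frozenset(v for (u, b, v) in delta if u in subset and b == a)

    start = (frozenset({s1}), frozenset({s2}))
    seen, todo = {start}, [start]
    while todo:
        S1, S2 = todo.pop()
        if bool(S1 & F1) != bool(S2 & F2):   # one accepts a word the other rejects
            return False
        for a in alphabet:
            nxt = (step(S1, D1, a), step(S2, D2, a))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True


def prim(a): return ("prim", a)
def seq(p, q): return ("seq", p, q)
def choice(p, q): return ("choice", p, q)
def star(p): return ("star", p)


if __name__ == "__main__":
    a, b = prim("a"), prim("b")
    print(len(nfa(a)[0]), len(nfa(choice(a, a))[0]))   # different automata (2 vs 5 states) ...
    print(equivalent(a, choice(a, a)))                  # ... but the same language
    print(equivalent(seq(a, b), seq(b, a)))             # a;b and b;a differ
    print(equivalent(star(choice(a, b)), star(seq(star(a), star(b)))))   # both denote all words
```

The lockstep subset construction only ever builds the pairs of subsets that are reachable together, so it stops as soon as one automaton accepts where the other rejects; in the worst case it is exponential in the automaton size, in line with the PSPACE-completeness of deciding $\alpha = \beta$ quoted above.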

Let me conclude this section with some comments on PDL. The logic we have used is rather poor, in that it cannot be used to reason about programs with conditional statements. If we add to the syntax of regular programs a class of programs of the form $\varphi?$, interpreted as "if the current state satisfies $\varphi$, then continue", we can encode a conditional such as if $\varphi$ then $\alpha_1$ else $\alpha_2$ by $(\varphi?;\alpha_1) + ((\neg\varphi)?;\alpha_2)$. This addition makes the syntax of programs and formulas in the logic mutually recursive. It also means that we cannot give the semantics of programs independently of the semantics of the formulas of the logic. With this in mind, we extend $\sigma$ to tests with respect to a Kripke structure $M$ by taking

$$\sigma(\varphi?) = \{(s, s) \mid (M, s) \models \varphi\}.$$

If we restrict $\varphi?$ to only use propositional formulas (without occurrences of modal operators $[\alpha]\varphi$ or $\langle\alpha\rangle\varphi$), we get a logic sometimes called poor test PDL. It is possible to reason equationally about programs with poor tests by using a variant of Kleene algebras called Kleene algebras with tests [Kozen 1997]. If we allow tests $\varphi?$ to use arbitrary PDL formulas, we get rich test PDL. Rich test PDL is very expressive; it lets us write programs such as $([\alpha_1]\varphi)?;\alpha_2$, which says that if all halting executions of $\alpha_1$ result in a state where $\varphi$ holds, then execute $\alpha_2$. It seems counterintuitive for programs to be able to perform speculative execution in that way, especially since such properties tend to be undecidable for reasonable programming languages. I know of no equational theory for programs using such strong tests.

Conclusion 

As the examples above illustrate, there is often a deep relationship between logical verification and equational verification. One might be left with the impression that such relationships are always present. Unfortunately, the more complex the equivalence, the more difficult it is to capture through a logical specification. Some of the most involved equivalences being applied nowadays occur in cryptography, where a cryptographic scheme is generally proved correct by showing it is equivalent to a simpler scheme which is unimplementable, but more obviously correct (perhaps because it uses a trusted third party, or a perfectly private channel) [Goldreich 1998]. A potentially interesting avenue for exploring logical characterizations of equivalence for cryptographic schemes is the recent work of Datta et al. [2004] that attempts to relate and unify such equivalences with a notion of equivalence based on a stochastic process calculus [Mitchell, Ramanathan, Scedrov, and Teague 2001].

Let me close on a remark prompted by my choice of examples. The astute reader will have noticed that HML and PDL have much the same flavor. They both use formulas involving actions and their effects. There is a difference, however, in that formulas in PDL describe the actions of a program in a particular environment (given by a state of the corresponding Kripke structure) while formulas in HML describe the actions of the environment on a particular process (given by the process serving as a model). Thus, despite surface similarities, the logics are meant to reason about quite different things, somewhat dual to each other: processes as models and environments in formulas, versus environments as models and programs in formulas. I am curious about the extent to which this duality can be made precise, and whether there are insights to be gained from it.